Added option ZM_AUTH_CASE_INSENSITIVE_USERNAMES to match mixed case usernames to lower case usernames in database ZoneMinder/zoneminder#3516

2022-09-02 11:58:02 +01:00 · 2022-09-02 11:58:02 +01:00 · 63e5b63eec
parent 4508940c30
commit 63e5b63eec
3 changed files with 32 additions and 3 deletions
--- a/docs/userguide/options/options_system.rst
+++ b/docs/userguide/options/options_system.rst
@ -16,6 +16,8 @@ OPT_USE_AUTH - ZoneMinder can run in two modes. The simplest is an entirely unau

 AUTH_TYPE - ZoneMinder can use two methods to authenticate users when running in authenticated mode. The first is a builtin method where ZoneMinder provides facilities for users to log in and maintains track of their identity. The second method allows interworking with other methods such as http basic authentication which passes an independently authenticated 'remote' user via http. In this case ZoneMinder would use the supplied user without additional authentication provided such a user is configured in ZoneMinder.

+AUTH_CASE_INSENSITIVE_USERNAMES - This option makes usernames case insensitive when authenticating. Matches against lower-case usernames in the database. May be used with "remote" AUTH_TYPE and LDAP authentication.
+
 AUTH_RELAY - When ZoneMinder is running in authenticated mode it can pass user details between the web pages and the back end processes. There are two methods for doing this. This first is to use a time limited hashed string which contains no direct username or password details, the second method is to pass the username and passwords around in plaintext. This method is not recommend except where you do not have the md5 libraries available on your system or you have a completely isolated system with no external access. You can also switch off authentication relaying if your system is isolated in other ways.

 AUTH_HASH_SECRET - When ZoneMinder is running in hashed authenticated mode it is necessary to generate hashed strings containing encrypted sensitive information such as usernames and passwords. Although these strings are reasonably secure the addition of a random secret increases security substantially. Note that if you are using the new token based APIs, then this field is mandatory with ZM 1.34 and above.
--- a/scripts/ZoneMinder/lib/ZoneMinder/ConfigData.pm.in
+++ b/scripts/ZoneMinder/lib/ZoneMinder/ConfigData.pm.in
@ -313,6 +313,20 @@ our @options = (
    },
    category    => 'system',
  },
+  {
+    name        => 'ZM_AUTH_CASE_INSENSITIVE_USERNAMES',
+    default     => 'no',
+    description => 'Case insensitive username authentication',
+    help        => q`
+      This option makes usernames case insensitive when
+      authenticating. Matches against lower-case usernames in the
+      database. May be used with "remote" AUTH_TYPE and LDAP
+      authentication.
+      `,
+    requires    => [ { name=>'ZM_OPT_USE_AUTH', value=>'yes' } ],
+    type        => $types{boolean},
+    category    => 'system',
+  },
  {
    name        => 'ZM_AUTH_RELAY',
    default     => 'hashed',
--- a/web/includes/auth.php
+++ b/web/includes/auth.php
@ -60,7 +60,12 @@ function migrateHash($user, $pass) {
 function validateUser($username='', $password='') {
  $sql = 'SELECT * FROM Users WHERE Enabled=1 AND Username=?';
  // local user, shouldn't affect the global user
-  $user = dbFetchOne($sql, NULL, array($username));
+  $user = null; // Not global
+  if (ZM_AUTH_CASE_INSENSITIVE_USERNAMES) {
+      $user = dbFetchOne($sql, NULL, array(strtolower($username)));
+  } else {
+      $user = dbFetchOne($sql, NULL, array($username));
+  }
  if (!$user) {
    return array(false, "Could not retrieve user $username details");
  }
@ -268,7 +273,11 @@ function userFromSession() {
    } else {
      # Need to refresh permissions and validate that the user still exists
      $sql = 'SELECT * FROM Users WHERE Enabled=1 AND Username=?';
-      $user = dbFetchOne($sql, NULL, array($_SESSION['username']));
+      if (ZM_AUTH_CASE_INSENSITIVE_USERNAMES) {
+        $user = dbFetchOne($sql, NULL, array(strtolower($_SESSION['username'])));
+      } else {
+        $user = dbFetchOne($sql, NULL, array(c));
+      }
    }
  }
  return $user;
@ -318,7 +327,11 @@ if (ZM_OPT_USE_AUTH) {
    } else if ((ZM_AUTH_TYPE == 'remote') and !empty($_SERVER['REMOTE_USER'])) {
      $sql = 'SELECT * FROM Users WHERE Enabled=1 AND Username=?';
      // local user, shouldn't affect the global user
-      $user = dbFetchOne($sql, NULL, array($_SERVER['REMOTE_USER']));
+      if (ZM_AUTH_CASE_INSENSITIVE_USERNAMES) {
+        $user = dbFetchOne($sql, NULL, array(strtolower($_SERVER['REMOTE_USER'])));
+      } else {
+        $user = dbFetchOne($sql, NULL, array($_SERVER['REMOTE_USER']));
+      }
    } else {
      $user = userFromSession();
    }